AppArmor Confinement

The following profiles have been identified and prioritized as targets for AppArmor confinement. A number of profiles already exist and are not included in this list. Please note that a high priority does not indicate a committment to develop the profile during the current development cycle.

Top priority

postgresql

tomcat (a third party changehat plugin exists, but is old and needs to be updated for tomcat6)

look into containerized-packages (as in apt-get install apache-chroot). Special attention on virtual hosting, updating and adding packages and modules. Another option would be to develop an apparmor profile and/or selinux policy.

Implement more useful SAK that does not kill a running X server/session (Secure Attention Key: http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-hardy.git;a=blob;f=Documentation/SAK.txt;hb=HEAD). The current SAK implementation closes everything that has /dev/console open, including entire tty7 (graphical display), while the Windows implementation is more useful because there is an option to require Ctrl-Alt-Del prior to entering any log on password (initial log on, re-log on after returning from screensaver, etc.). LP: #1037653

have harvest better integrate with security fixes (talk to dholbach and jorge)

focus and ask what is keeping people from adopting Ubuntu

we should also identify several areas where we become experts and give all the information-- eg if a salesperson is in front of a potential client and is asked 'tell me about all your logging software' or 'tell me all the ways you handle user credentials and authentication'

look into USN-C (community USN) and a way to attach the name of the committer/uploader as a way to increase involvement (though better reputation)